University DDoS'd by its own seafood-curious malware-infected vending machines

2017's security headlines are starting to read like MadLibs

A US university saw its network traffic slow to a crawl thanks to an IoT malware infection that hit, among other things, its vending machines.

The unnamed university had its story told by Verizon Enterprise in a sneak preview [PDF] of its 2017 Data Breach Digest report.

The story, as told by an also unnamed senior IT staffer, goes like this: the university's network had been slowing to a crawl, prompting complaints from students. Upon investigating, the IT staff found that the school's DNS servers were buckling under heavy traffic loads.

Much of the lookup traffic (requesting seafood-related subdomains, oddly) was suspected to be from a botnet. After some investigation, the staff found that over 5,000 IoT (Internet of Things) devices around the campus – including vending machines – had been infected with malware through guessed default passwords and were being controlled remotely.
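The kind of check that surfaces this pattern in DNS query logs, as an added example that is not from the Verizon report or the university's staff: it counts lookups per client and flags clients whose queries are dominated by subdomains matching a keyword list. The keyword list, thresholds, addresses, domain names and BIND-style log lines are all constructed assumptions.

```python
import re
from collections import Counter

# Assumed keyword list; the report only says the subdomains were seafood-related.
KEYWORDS = ("shrimp", "cod", "tuna", "lobster", "crab")
# BIND-style query log line: "... client <ip>#<port> (<qname>): query: ..."
QUERY_RE = re.compile(r"client (?:@\S+ )?([\d.]+)#\d+ \(([^)]+)\): query:")

def _line(sec, ip, name):
    """Build one constructed log line (sample data only)."""
    return (f"01-Feb-2017 10:00:{sec:02d}.000 client {ip}#40000 "
            f"({name}): query: {name} IN A +")

# Constructed sample: two noisy IoT clients, one quiet one, one workstation.
_CLIENT_SUBDOMAINS = {
    "10.20.5.17": ["shrimp-01", "cod-77", "tuna-5", "lobster-9", "crab-3"],
    "10.20.5.18": ["crab-11", "tuna-42", "shrimp-8", "lobster-2"],
    "10.20.5.19": ["cod-1", "crab-2"],
    "10.10.1.50": ["www", "mail", "tuna-recipes", "portal"],
}
SAMPLE_LOG = [_line(i, ip, f"{sub}.example.test")
              for ip, subs in _CLIENT_SUBDOMAINS.items()
              for i, sub in enumerate(subs)]

def suspicious_clients(lines, keywords=KEYWORDS, min_queries=4, min_ratio=0.75):
    """Return {client_ip: (total_queries, keyword_ratio)} for flagged clients."""
    total, hits = Counter(), Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line, or a format this sketch does not parse
        client, qname = m.group(1), m.group(2).lower().rstrip(".")
        total[client] += 1
        # Look only at subdomain labels, i.e. everything left of the last two.
        subdomain_labels = qname.split(".")[:-2]
        if any(k in label for label in subdomain_labels for k in keywords):
            hits[client] += 1
    flagged = {}
    for client, count in total.items():
        ratio = hits[client] / count
        # Volume floor avoids flagging a host for one or two odd lookups.
        if count >= min_queries and ratio >= min_ratio:
            flagged[client] = (count, ratio)
    return flagged

if __name__ == "__main__":
    for ip, (count, ratio) in sorted(suspicious_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {count} queries, {ratio:.0%} keyword subdomains")
```

Cross-referencing the flagged addresses against an asset inventory that includes IoT devices is what turns this list into something an admin can act on.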

"Short of replacing every soda machine and lamp post, I was at a loss for how to remediate the situation," the IT admin writes. "We had known repeatable processes and procedures for replacing infrastructure and application servers, but nothing for an IoT outbreak."

Eventually, the staff were able to intercept network packets containing the plaintext password for the botnet. From there, they wrote a script that scrubbed the malware from all of the infected machines on campus.

The lesson? Our anonymous uni IT bod recommends that companies pay close attention to the network settings for IoT devices and, where possible, separate them from access to the internet and to other devices. The author also advises including IoT devices alongside regular IT asset inventories and using basic security measures like changing default credentials and rotating strong Wi-Fi network passwords.

"Short lived as it was, the impact from severing all of our IoT devices from the internet during that brief period of time was noticeable across the campus – and we were determined never to have a repeat incident," the IT staffer writes. ®